Coturn, prosody, turncredentials vs external_services module

Was about to write on that one as well :)
Perhaps check whether coturn is running and can load the certificate:
systemctl status coturn.service
grep turnserver /var/log/syslog | grep -i "private key"
It should report no errors or warnings, and something saying the file was loaded.

coturn.service - coTURN STUN/TURN Server
Loaded: loaded (/lib/systemd/system/coturn.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-05-03 16:47:45 CEST; 24h ago
Docs: man:coturn(1)
man:turnadmin(1)
man:turnserver(1)
Main PID: 64241 (turnserver)
Tasks: 9 (limit: 65000)
Memory: 5.8M
CGroup: /system.slice/coturn.service
└─64241 /usr/bin/turnserver --daemon -c /etc/turnserver.conf --pidfile /run/turnserver/turnserver.pid

What does journalctl tell you?
journalctl --unit coturn.service

I must correct myself:

May 4 17:51:43 meet-test turnserver: 0: WARNING: cannot find private key file: /etc/letsencrypt/live/turn-meet-test.xxx.xx/privkey.pem (1)
May 4 17:51:43 meet-test turnserver: 0: WARNING: cannot start TLS and DTLS listeners because private key file is not set properly

Here is the turnserver.conf:

# jitsi-meet coturn config. Do not modify this line
use-auth-secret
keep-address-family
static-auth-secret=XXX
realm=meet-test.xxx.xx
cert=/etc/letsencrypt/live/turn-meet-test.xxx.xx/cert.pem
pkey=/etc/letsencrypt/live/turn-meet-test.xxx.xx/privkey.pem
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1

Did you alter the turnserver.conf yourself?
I think that should be taken care of by the posthook script as described in the guide.
Check /etc/letsencrypt/renewal/.conf.
It needs to refer to a script (look for hook).

I thought so, too.
But the config referenced the wrong (the jitsi) certificate/key, so I edited it. (It didn't work before the change, either.) But I will check the posthook script again.

Okay, one problem is that coturn can't work with symlinks to letsencrypt certificates.
Fixed it and now I get:

May 5 09:11:00 meet-test turnserver: 0: SSL23: Private key file found: /etc/jitsi/meet/turn-meet-test.xxx.xx.key
May 5 09:11:00 meet-test turnserver: 0: TLS1.2: Private key file found: /etc/jitsi/meet/turn-meet-test.xxx.xx.key
May 5 09:11:00 meet-test turnserver: 0: DTLS: Private key file found: /etc/jitsi/meet/turn-meet-test.xxx.xx.key
May 5 09:11:00 meet-test turnserver: 0: DTLS1.2: Private key file found: /etc/jitsi/meet/turn-meet-test.xxx.xx.key

TCP Fallback on 443 still not working.

The turnserver log output in syslog looks fine to me: no error messages at all, except a "cannot set DH", which should not be a problem at all.
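
For the cert= and pkey= paths discussed in this thread, a shell check that reports whether each path is a symlink, where it resolves, and whether the invoking user can read it. This is an added example, not part of any post above or of coturn; check_turn_tls_files is a hypothetical helper name, and it assumes a readlink that supports -f.

```shell
# Added example: inspect the cert= and pkey= files named in a coturn config.
# check_turn_tls_files is a hypothetical helper, not a coturn tool.
check_turn_tls_files() {
    local conf rc key path target
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "cannot read config: $conf" >&2; return 2; }

    for key in cert pkey; do
        # Take the last uncommented "key=value" line; strip trailing blanks and quotes.
        path=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
               | tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
        if [ -z "$path" ]; then
            echo "$key: not set in $conf"
            rc=1
            continue
        fi
        if [ -L "$path" ]; then
            target=$(readlink -f -- "$path" 2>/dev/null)
            echo "$key: $path is a symlink -> ${target:-unresolvable}"
        else
            echo "$key: $path"
        fi
        if [ ! -e "$path" ]; then
            # Dangling link, or a parent directory this user may not traverse.
            echo "$key: MISSING as seen by user $(id -un)"
            rc=1
        elif [ ! -r "$path" ]; then
            echo "$key: NOT READABLE by user $(id -un)"
            rc=1
        else
            echo "$key: readable by user $(id -un)"
        fi
    done
    return "$rc"
}

# When called with a config path as argument, run the check on it.
if [ "$#" -gt 0 ]; then check_turn_tls_files "$1"; fi
```

Run it as the account coturn runs under, since a path that root can read may still be missing or unreadable for the service.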